We discussed gathering use cases on how scanning reports might be used. Please add/discuss use cases below.
Use Case: PCI Compliance
“No image containing a CVE with a CVSS score >=7 can be deployed for our PCI compliance.” - this is a paraphrased version of a statement made by a user. If somebody knows PCI better, please correct this, but the specific requirement appears to be simply that “High” risk vulnerabilities are not allowed to exist. Note that “High” maps to a score differently between CVSS versions: CVSS v2 rates 7.0-10.0 as High, while CVSS v3 rates 7.0-8.9 as High and 9.0-10.0 as Critical, so a threshold of >=7 catches both under either version.
A to-be-created policy engine should be able to determine whether an image contains any vulnerabilities meeting the user’s threshold and prevent deployment. For services that are already running, it should feed a larger monitoring system that helps the user identify running services needing remediation, since new CVEs against packages in a deployed image are published after the image was scanned and admitted. The policy should also state how an unscored vulnerability (one with no CVSS score assigned yet) is treated, so that a missing score does not silently pass the gate.
Use Case: License auditing
“I need to know all the software licenses in use by packages within my image.” This is mostly for auditing, but it is also possible that an organization will have specific requirements around not using software with a specific license, so it may also need to be a runtime check. As far as I know, it’s not possible to retroactively change a license, so no further license inspection would be required of deployed services.
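Both use cases above (the CVSS threshold gate and the license inventory/denylist) reduce to the same shape: walk the packages in a scan report, apply a rule to each, and turn the hits into a deploy/no-deploy decision. The following is an added example written for this page, not the project's policy engine or any scanner's real output. The report layout (a list of features, each with a license string and a list of vulnerabilities carrying optional CVSS v2/v3 base scores), the placeholder vulnerability IDs, and the function names are all assumptions made for illustration.

```python
"""Added example: a minimal deploy-time policy check over a scan report.

Illustrative code for this page, not the project's own policy engine.
The report layout below is an assumption; real scanners use their own
schema. Vulnerability IDs are placeholders, not real CVEs.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = {
    "image": "registry.example/app:1.4.2",
    "features": [
        {
            "name": "openssl", "version": "1.1.1k-1", "license": "OpenSSL",
            "vulnerabilities": [
                {"id": "CVE-0000-0001", "cvss_v3": 7.5, "cvss_v2": 5.0},
                {"id": "CVE-0000-0002", "cvss_v3": 3.7, "cvss_v2": 4.3},
            ],
        },
        {
            "name": "libfoo", "version": "2.0-3", "license": "MIT OR AGPL-3.0",
            "vulnerabilities": [
                {"id": "CVE-0000-0003"},  # freshly published, no score yet
            ],
        },
        {"name": "zlib", "version": "1.2.11-2", "license": "Zlib",
         "vulnerabilities": []},
    ],
}


def base_score(vuln: dict) -> float | None:
    """Prefer the CVSS v3 base score, fall back to v2, else None (unscored).

    v2 rates 7.0-10.0 as High; v3 splits that into High (7.0-8.9) and
    Critical (9.0-10.0), so a >= 7.0 threshold catches both either way.
    """
    for key in ("cvss_v3", "cvss_v2"):
        if vuln.get(key) is not None:
            return float(vuln[key])
    return None


def cvss_violations(report: dict, threshold: float = 7.0,
                    fail_unscored: bool = True) -> list[tuple]:
    """Return (package, vuln id, score) for each vulnerability at or above
    the threshold. Unscored vulnerabilities count as violations unless the
    caller opts out, so a missing score cannot silently pass the gate."""
    hits = []
    for feat in report["features"]:
        for v in feat.get("vulnerabilities", []):
            score = base_score(v)
            if score is None:
                if fail_unscored:
                    hits.append((feat["name"], v["id"], None))
            elif score >= threshold:
                hits.append((feat["name"], v["id"], score))
    return hits


_SPDX_OPERATORS = {"OR", "AND"}


def license_terms(expression: str) -> set[str]:
    """Split an SPDX-style expression such as 'MIT OR AGPL-3.0' into its
    license identifiers, dropping operators and parentheses."""
    tokens = re.findall(r"[A-Za-z0-9.+\-]+", expression)
    return {t for t in tokens if t.upper() not in _SPDX_OPERATORS}


def license_inventory(report: dict) -> dict[str, list[str]]:
    """Audit view: map each license identifier to the packages carrying it."""
    inv: dict[str, list[str]] = {}
    for feat in report["features"]:
        for lic in license_terms(feat.get("license") or "UNKNOWN"):
            inv.setdefault(lic, []).append(feat["name"])
    return {k: sorted(v) for k, v in sorted(inv.items())}


def license_violations(report: dict, denied: Iterable[str]) -> list[tuple]:
    """Return (package, expression) for packages whose license expression
    mentions a denied identifier. Dual-licensed 'A OR B' is flagged if either
    side is denied; relax this if the organization accepts the alternative."""
    denied_set = {d.upper() for d in denied}
    out = []
    for feat in report["features"]:
        expr = feat.get("license") or "UNKNOWN"
        if {t.upper() for t in license_terms(expr)} & denied_set:
            out.append((feat["name"], expr))
    return out


def evaluate(report: dict, threshold: float = 7.0,
             denied_licenses: Iterable[str] = (),
             fail_unscored: bool = True) -> dict:
    """Combine both rules into a single deploy/no-deploy decision."""
    cvss = cvss_violations(report, threshold, fail_unscored)
    lic = license_violations(report, denied_licenses)
    return {"allowed": not cvss and not lic, "cvss": cvss, "licenses": lic}


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, threshold=7.0, denied_licenses=["AGPL-3.0"])
    for pkg, vid, score in result["cvss"]:
        print(f"CVSS    {pkg}: {vid} score={'unscored' if score is None else score}")
    for pkg, expr in result["licenses"]:
        print(f"LICENSE {pkg}: {expr}")
    print("deploy allowed:", result["allowed"])
```

The same `evaluate` call can run as an admission gate at deploy time and again on a schedule against the reports of running images, which is what turns the deploy-time rule into the monitoring case described above. The fail-closed default for unscored vulnerabilities is deliberate: a CVE that has been published but not yet scored is exactly the one a threshold-only rule would otherwise wave through.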